Thread-Based Sandboxing for Untrusted Software Execution

This document pertains generally, but not by way of limitation, to security and memory access techniques used in connection with trusted execution environments and operating system environments, including those used by a real-time operating system (RTOS).

Many computing system deployments are designed to support robust combinations of software, including modular libraries and applications that are deployed in an operating system to support system functionality. Software installed in an operating system may be sourced from a variety of third-party developers or open source development projects, including in the form of third party libraries that implement programs, functions, and code modules to enable the operating system to communicate with different combinations and types of hardware and peripherals.

The use of third party libraries introduces a number of benefits for a computing system implementer (e.g. system integrator or manufacturer), including faster development and deployment times, the introduction of familiar experience and functionality for customers, and the like. However, the use of libraries from untrusted sources also introduces security concerns. In many scenarios, the computer system integrator/manufacturer and the computer system user/customer must choose to either implicitly trust that the third party libraries and software are secure; or, the system must be adapted to minimize harm from malicious software and security exploits. As a result, many computer system integrators/manufacturers and computer system users/customers will encounter security and functionality tradeoffs when attempting to integrate software from third parties.

This disclosure describes various method, system, and software instruction implementations for controlling access to regions or areas of memory in a secure/non-secure processing environment configuration, when a third party application or library is executed. Specifically, techniques are described to sandbox a thread associated with this application or library within a non-secure processing environment, by temporarily associating other threads of the non-secure processing environment with a secure processing environment and thus restricting access of the sandboxed thread to memory resources associated with the other threads.

In some aspects, the techniques described herein relate to a method of controlling memory access in a non-secure processing environment, the method including: providing a memory locking service in a computing device, the computing device including a secure processing environment and a non-secure processing environment, with the memory locking service being executed in the secure processing environment; receiving a request with the memory locking service to establish a sandbox for a particular thread, the particular thread executing in the non-secure processing environment and associated with at least one specified memory region; and associating other threads of the non-secure processing environment with the secure processing environment, such that the particular thread is unable to access memory resources of the other threads while the particular thread is sandboxed.

In some aspects, this method further includes receiving a subsequent request with the memory locking service to remove the sandbox for the particular thread, and re-associating the other threads of the non-secure processing environment with the non-secure processing environment. In some aspects, this method further includes scenarios where the request and the subsequent request are provided from a scheduler of an operating system, such as based on an untrusted source of code for the particular thread.

In some aspects, the method includes associating resources of an operating system with the secure processing environment, such that the particular thread is unable to access memory resources of the operating system while the particular thread is sandboxed. In some examples, access to the memory resources for the non-secure processing environment and the secure processing environment is controlled by a Security Attribution Unit and an Implementation Defined Attribution Unit.

In some aspects, the method includes the particular thread being associated with at least one additional memory region for at least one message buffer that is accessible in the non-secure processing environment, such that the at least one message buffer is used to communicate data with at least some of the other threads.

In some aspects, the request is received with the memory locking service via an application programming interface, with such an application programming interface being configured to receive at least one command to sandbox the particular thread based on a thread identifier.

In some aspects, the techniques described herein relate to a non-transitory machine-readable storage medium including instructions, which when executed by processing circuitry of a computing device, causes the processing circuitry to perform operations of the aforementioned method or related processing actions.

In some aspects, the techniques described herein relate to a computing system, including: memory; a processor configured to provide a non-secure processing environment and a secure processing environment, the secure processing environment to provide a memory locking service; circuitry configured to implement at least one memory protection unit, the at least one memory protection unit to control access to regions of the memory that are associated with the non-secure processing environment or the secure processing environment; and circuitry configured to provide a security attribution unit adapted to: receive a request with the memory locking service to establish a sandbox for a particular thread, the particular thread executing in the non-secure processing environment and associated with at least one specified memory region; and associate other threads of the non-secure processing environment with the secure processing environment, such that the particular thread is unable to access memory resources of the other threads while the particular thread is sandboxed.

In some aspects, the techniques described herein relate to adaptations of this computing system, further configured to perform operations of the aforementioned method or related processing actions.

The present inventors have recognized the technical challenges of existing approaches for operating a computing environment using software provided by a third party. The use of untrusted third party libraries for certain types of system functions—especially in communication software exposed to the outside world or other parties—may introduce a variety of security concerns. In a worst case scenario, vulnerabilities in the third party libraries might be exploited and result in data corruption or data loss in the computing system.

The following introduces functionality to carefully execute such untrusted libraries—even in simplified processing environments—by sandboxing the execution of a specific thread and preventing the specific thread from accessing or interfering with memory and other related resources of the computing system. This approach builds on a primitive established from memory access locking implemented in a Security Attribution Unit (SAU) or a similar security/memory access controller. With this approach, the operating system (e.g., a real-time operating system or “RTOS”) uses the memory access locking procedure to selectively restrict any accessible memory—throughout the execution of the untrusted thread—to only certain memory locations associated with the thread.

The following sandboxing approach can therefore enable software deployments to safely execute untrusted code, including code by in a third party library via separate threads. This sandboxing approach is applicable when the third party threads have clearly defined memory access requirements, and where the memory accessed by individual third party threads do not overlap with critical sections of memory that are holding system configuration and runtime data. Using this sandboxing approach, the memory areas that are not associated with these libraries can be secured and isolated from the sandboxed thread, so that the sandbox boundary will never include critical data. The sandbox then can be removed from the thread to enable first party or other code to execute. Moreover, because the computing system provides the ability to implement the sandbox on a thread-by-thread basis, the operating system will be aware when the sandbox is to be applied, as well as the boundaries of the sandbox.

One applicable use case for this technique is the use of third party libraries for a communication toolbox, such as a Bluetooth Low Energy (BLE) software stack that includes multiple components (e.g., driver, middleware, controller) sourced from multiple parties. The following compartmentalization techniques can ensure that the threads that execute third party code will not access memory locations beyond the allotted buffers needed to accomplish inter-component communications.

Additional implementation examples are provided after an introduction of an approach for secure memory access and control. This secure memory access and control is described based on the activation of a SAU function in a Trusted Firmware-M (TF-M) environment, which implements a secure processing environment (SPE) for certain ARM architectures.

A divided secure/non-secure processing environment can be used to control memory accesses between an unsecure processing environment and secure processing environment (which may include a Trusted Execution Environment (TEE)). In an example, memory access control functionality is enabled by a service that causes selective locking of non-secure memory locations, so that specific non-secure memory regions can be upgraded, on-demand, to a secure state. This service can be accompanied by functionality that causes access to the upgraded secure memory regions to be trapped and handled. This memory access control functionality, if applied to a larger area of memory, can be used to lock down any resources not associated with a particular thread and thus sandbox the execution of the particular thread.

As an overview, TEEs can be hosted within many types of computing processors and processor architectures. TEEs are generally designed to provide the following attributes: confidentiality, so that data in the TEE can only be accessed by authorized programs or code inside the environment; integrity, to prevent unauthorized entities from altering data or code of the TEE; and isolation from unsecure or untrusted entities, such as by using a secure, isolated area of memory for data and executing instructions in an area of the processor that is protected from other processes of the processor (e.g., protected with use of encryption). TEEs are often enabled through specific hardware support functions, such as functions directly provided by a secure processor included within the processor circuitry. Some example types of TEEs that are implemented in current processor architectures include AMD® SEV (Secure Encrypted Virtualization), Intel® SGX (Software Guard Extensions), and ARM® TrustZone. Although the implementation specifics vary for these types of TEEs, each of these TEEs generally provide private regions of memory and execution to enable the foregoing aspects of confidentiality, integrity, and isolation.

The following implementation details for memory access control are applicable to Trusted Firmware-M (TF-M), which provides a secure processing environment for execution on ARM® processor architectures (e.g., the Cortex-M33, Cortex-M23, Cortex-M55, Cortex-M85 processors, which include TrustZone-M security extensions). However, applicability to other environments, architectures, and products will be apparent. TF-M is an open source standard managed by the Trusted Firmware organization that provides an implementation of the TrustZone-M System-on-a-Chip (SoC) security extensions. TF-M can be extended with the following approaches to provide an integrated service that controls the selective locking of non-secure memory through a simple API.

The following examples thus discuss adaptation and use of hardware modules including the Security Attribution Unit (SAU) provided by TrustZone-M processors (e.g., TrustZone on Armv8-M architectures). A memory locking service can be provided within a TF-M environment to interface with the SAU to upgrade locations or regions of non-secure memory—during runtime—into secure regions of memory. Additionally, the following discusses how access to the upgraded secure memory regions can be trapped and handled within the TF-M environment so that secure domain software developers can monitor such accesses and perform access policy enforcement in response to the accesses.

This functionality can be added within TF-M or another TEE implementation to expose a security primitive that provides insight and control to memory accesses, especially in a non-secure domain that uses shared memory. This functionality can be implemented without additional hardware modules and/or new or proprietary processor extensions. Additionally, this functionality can be easily distributed and implemented with a minimal change to the TEE environment, such as by a small downstream fork of TF-M.

is a simplified block diagram depicting an example security architecture of a computing devicethat can implement various aspects of this disclosure. The computing deviceis depicted as providing processing resourcescomposed from logical layers including firmware, data, peripherals, memory, and CPU resources (with other logical layers not depicted for simplicity). Although not directly depicted, the processing resourcesof the computing devicemay be used to provide a real-time operating system (RTOS) and a number of applications within the RTOS. As used herein, an RTOS generally refers to an operating system that provides some aspect of real-time computing applications, such as for processing data and events that have some time constraint or requirement. Non-limiting examples of a computing device that provide an RTOS include a mobile computer, an Internet of Things (IoT) device, an autonomous or semi-autonomous robot, an industrial control system, a medical device, and the like.

depicts, at a high level, a separation between secure and non-secure areas of the logical layers. The processing resources as arranged in a TrustZone-M core (e.g., as provided by ARM processors v8 and thereafter) may exist in one of two domains: a non-trusted domainthat provides a non-secure processing environment (NPSE) (shown without shading), or a trusted domainthat provides a secure processing environment (SPE) (shown with shading). As a result, system hardware and software resources are generally partitioned to be divided between the trusted (secure) and non-trusted (non-secure) domains.

The non-trusted domainis associated with (and uses) instructions and data in firmwareand application data. The non-trusted domainalso has access to non-secure areas of peripherals; memory; and CPU resources. The trusted domain, in contrast, is associated with (and uses) instructions and data in secure services, secure firmware, and secure data. The trusted domainhas access to a secure area of peripherals, a secure area of system memory, and a secure area of CPU resources, in addition to the non-secure areas of peripherals; memory; and CPU resources. In other words, the non-trusted domainis restricted and can only access non-secure resources, whereas the trusted domainis unrestricted and can access all resources including the entire memory space of memory.

As discussed in more detail in, below, each processing domain uses the SAU, an Implementation Defined Attribution Unit (IDAU), and a respective memory protection unit (MPU) to enforce memory isolation and confidentiality. The respective MPU enforces the strict memory division provided by the operating mode, including in system memoryand in some examples for data in buses and peripherals as enforced by respective controllers.

Many applications of the computing devicemay be implemented in the non-trusted domain, such as the application logic and multi-threading support provided by an RTOS (as applicable). However, any piece of code or data that exists within the non-trusted domain—including privileged code such as the RTOS and any interrupt handler—is vulnerable to modification from other entities operating in the non-trusted domain. Thus, even with trusted/non-trusted domain protection, an MPU cannot be exclusively relied upon to control memory access for important system functions, because in an NSPE the memory accesses are designed to be modifiable and controllable by any non-secure privileged code.

With the following approach, secure domain memory protection is extended to protect and identify inappropriate memory accesses in a non-trusted domain of the NPSE. This memory protection approach can be implemented in a processing environment such as TF-M without additional hardware changes—although specialized hardware changes to a processor architecture can be additionally or alternatively used to implement aspects of the present techniques.

In an example, the memory protection techniques are implemented using software provided in an executable partition in the SPE. TF-M provides the concept of “partitions”, which are self-contained payloads that can be enabled or disabled (e.g., through a single compile-time option as part of the TF-M configuration before the binary is built). These partitions have different levels of privilege, the lowest being the application service partitions. An advantage of such a design is that partitions can be built out-of-tree, enabling partition developers to simply link their partition into upstream TF-M code. Accordingly, implementing the memory protection approach as an executable partition (or similar payload) can help provide portability and distributability for a variety of SPE implementations.

In a TF-M configuration, partitions can be used to host a service that exposes one or more APIs to other TF-M partitions and non-secure code. For example, a memory locking service can expose lock and unlock request APIs (or, a single API) to the non-secure domain. This API can be configured to receive a memory address region or regions as an API argument. Additionally, in a TF-M configuration, a partition is used to provide an Access Policy Management Engine that manages and enforces access control policies for secure services. The configuration of this engine and partitions can be defined (e.g., at compile time by the partition developer) to evaluate and determine whether a memory lock or unlock request is valid or invalid.

is a flow diagram depicting an example of request processing in a TF-M implementation. This flow diagram shows how a security attribution unit, SAU, is adapted to handle memory requests such as a memory requestfrom software executing in a CPU. The SAUis provided as part of the TrustZone-M core specification, and allows a system designer to fine-tune memory segmentation between the secure and non-secure domains.

The SAUuses system-level controlto segment and control the SPE and the NPSE and associated resources as depicted in. Additionally, the SAUis extended to implement a memory locking service, for locking specific memory locations used by the NPSE. In TrustZone-M systems, an IDAU(Implementation Defined Attribution Unit) provides a fixed division of memory between trusted and non-trusted memory—which the hardware vendor decides when designing the SoC—while the SAUprovides a degree of flexibility to modify that division by providing a set of MPU-like registers that can be modified by SPE software. MPUs, such as non-secure MPUand secure MPU, on the other hand, evaluate software “privilege” to decide whether a particular resource is accessible or not. To ensure that previous generation software designs remain compatible, these MPUs are provided within each domain to allow for software in the respective domain to maintain privileges as before. Accordingly, the SAUand IDAUcombination decides if a resource is accessible based on the security domain (trusted/non-trusted), and forwards the access request to the relevant domain's MPU. The respective MPU then checks the privilege state of the processor to determine if the resource is accessible under the current privilege state.

Thus, in operation, the SAUand IDAUare configured to handle valid secure requests with a secure memory protection unit (secure MPU, which has access to all system resources) and to handle non-secure requests with a non-secure memory protection unit (non-secure MPU, which has access to only non-secure system resources). If a request is valid, the non-secure MPUor secure MPUrespectively will forward the memory request to access system memory/resources.

The memory locking is implemented by repurposing the SAUto respond to API requests provided to a memory locking service. In example TrustZone-M implementations, the 32-bit addressable memory region is segmented into secure and non-secure regions based on the 28th bit of the memory address. Processing of the memory address can be performed by the IDAU, since the IDAUoperates as a hardware unit placed on the bus that arbitrates access to resources. (This behavior may be adapted by an SoC designer by modification of the IDAU). As an example, if the bit of the memory address is set, then this memory address is only accessible by the secure domain via the IDAU. If in the secure mode, the secure memory location can be accessed; if not in the secure mode, the attempted access will cause a fault. This use of bit establishes a fixed division in the memory map. Although this division is sufficient for a majority of applications, the SAUprovides an ability to selectively upgrade other regions or addresses of the non-secure memory of the NPSE into a secure state—similar to what would occur if these memory regions or addresses were designated as part of the SPE by the IDAU.

To enable the memory locking with the memory locking service, the locking partition checks (e.g., during system bootup) if the SAUcan be re-programmed without breaking other TF-M services. The SAUhas a limited number of memory regions that it can concurrently upgrade into a secure state—in some implementations this is a maximum of eight memory regions, but this number may be increased in some settings. If other system services have upgraded all eight memory regions into a secure state, then the locking partition cannot operate fully and the memory locking servicecan simply ignore all additional locking requests that arrive via the API. Otherwise, if additional memory regions are available to be upgraded, the memory locking servicewill attempt to use a first available region of the SAUto service the memory locking request(s).

Once a memory region is locked (e.g., a memory region is upgraded by the SAUto the secure domain), then this memory region cannot be directly accessed by the non-secure domain. If the non-secure domain accesses that memory region, a fault will occur and the Secure Fault Handler will immediately launch. In some settings, the Secure Fault Handler may be configured to reset the processor in response to the fault. However, a special subroutine may be used to determine whether the fault arose due to accessing a locked region, to then handle the fault with the partition's access management policy (managed by an access management policy engine). If no fault processing routine is provided, the Secure Fault Handler may reset the processor.

An access management policy engine can be extended to perform various tasks in response to the attempted memory access, based on a configuration and access policy or policies. If access is permitted, the engine may allow the access to take place by unlocking the region (and optionally, setting a timer to re-lock the region) and returning the code execution back to the non-secure domain. The access management policy engine can also log which instruction accessed the region and calculate the frequency of accesses, as the Secure Fault Handler provides this information.

Logging data from such faults may be useful for auditing and investigation purposes. The logged data, for example, may be fed to a machine learning or other AI model that has been trained to classify whether the particular type of access is valid or invalid. In other scenarios, the Secure Fault Handler can simply reset the processor and raise an alarm if the particular type of access is valid or invalid. Accordingly, the lock mechanism provided by the memory locking serviceis essentially a trapping scheme since it traps accesses to locked memory locations using the SAU.

The use of this memory-locking approach can obtain a significant amount of information from the Secure Fault Handler that can be used for improving or optimizing access policy management. Further data analysis may provide a source of information for machine learning models to be trained and implemented. However, as discussed above, the use of partitions and adaptation of the SAUdoes not necessarily require hardware changes or additional hardware, and allows deployment in a variety of existing SPE/NPSE implementations.

Moreover, this memory-locking approach can be used for a variety of use cases. This may include security-sensitive operations such as a firmware update initiated from a non-secure domain, which is tied to secure boot functions but needs to be isolated from regular RTOS processes. Another use case may include the tracking and storing of cryptography variables, data structures that include keys, sensitive application data, and the like. Thus, the present approaches allow a temporary upgrade to common aspects of data used in a NSPE, while ensuring that such data can be securely maintained and not leaked to or tampered with by unauthorized entities.

is a flowchart of an example method of implementing secure memory locking in a non-secure processing environment. This method may be implemented by a combination or coordination of a specially configured memory locking service, Security Attribution Unit, Implementation Defined Attribution Unit, Access Policy Management Engine, Memory Protection Unit, Secure Fault Handler, and other entities discussed above. These and other services, engines, and modules are configured to provide a SPE and NSPE as discussed above. However, other extensions and implementations-including with specialized processor instructions or extensions-will be apparent.

At, an operation is performed (e.g., with a processor that provides a non-secure processing environment and a secure processing environment) to execute a partition in a secure processing environment of the computing device/system. In some examples, this memory locking service is implemented as an isolated partition in the secure processing environment. This partition starts or configures a memory locking service, such as memory locking servicediscussed above.

At, an operation is performed (e.g., with circuitry configured to provide a security attribution unit, such as SAUdiscussed above) to receive and process a request with the memory locking service to lock a specified memory region of the computing device. This specified memory region, before being upgraded to a locked state, is associated with the non-secure processing environment. In an example, this request may be received with the memory locking service via an API, such as an API that is configured to receive at least one command with specific parameters or specifications to lock or unlock at least one memory region, address, address range, etc. In other examples, an API may be configured to receive a thread identifier (thread ID), and temporarily lock/secure all non-secure memory areas that are not associated with the specified thread. In this way, the API may be configured to perform memory locking on an inclusion basis (e.g., only to lock a specified location or area of memory) or on an exclusion basis (e.g., to lock all but the specified location or area of memory). In other examples, an API may be configured to receive a thread identifier (thread ID), and temporarily lock/secure all non-secure memory areas that are not associated with the specified thread. In this way, the API may be configured to perform memory locking on an inclusion basis (e.g., only to lock a specified location or area of memory) or on an exclusion basis (e.g., to lock all but the specified location or area of memory).

At, an operation is performed (e.g., with circuitry configured to provide the security attribution unit, such as SAUdiscussed above) to associate the specified memory region with the secure processing environment. In some examples, the access to memory regions for the non-secure processing environment and the secure processing environment is controlled by a Security Attribution Unit (SAU) and an Implementation Defined Attribution Unit (IDAU) such as is provided in a TrustZone-M processor architecture. These secure versus non-secure environments may be configured as discussed with reference to, above.

At, an operation is performed (e.g., with the processor or other circuitry) to identify an access attempt to the specified secure memory region, such as an access attempt that is received from the non-secure processing environment. In some examples, this may include logging the access attempt to the specified memory region.

At, an operation is performed (e.g., with the processor or other circuitry) to control access to the specified secure memory region, based on a policy, configuration, or other deterministic criterion. In an example where a policy is used, controlling the access attempt includes granting access to the specified memory region if the access attempt satisfies the policy, and denying access to the specified memory region if the access attempt does not satisfy the policy.

At, an operation is performed (e.g., with circuitry with configured to provide the security attribution unit, such as SAUdiscussed above) to receive and process a request with the memory locking service to unlock (e.g., release the lock or “unsecure”) the specified memory region of the computing device. This operation may include receiving and processing a subsequent request, via the API, to release the lock on the specified memory region.

At, an operation is performed (e.g., with circuitry with configured to provide the security attribution unit, such as SAUdiscussed above) to change the specified secure memory region back into a non-secure memory region. This operation may include associating the specified memory region with the non-secure processing environment.

A variety of computing system deployments may incorporate third party software and libraries. In a possible threat model, assume that a remote attacker has one entry point into the system such as a wireless/wired networking interface, and the attacker is aware of vulnerabilities in the software controlling that entry point. The software controlling that entry point might be vulnerable to a bug such as a buffer overflow. The software controlling that entry point may be provided by a third party and might not be fully code-reviewed—being a binary blob, or being provided by a vendor under some form of mutual agreement. An attacker may attempt to use at least one such vulnerability to try to corrupt the rest of the system's memory or launch some form of control-flow integrity attack (such as return oriented programming (ROP) attacks).

This threat model is particularly applicable for deployment scenarios that use libraries for specific tasks with outside entities, such as a communication software stack used for Bluetooth Low Energy (BLE) support. BLE software stacks typically include multiple software pieces, broadly divided into three components. First, the “Host” is a set of standardized libraries that the user application calls to enable Bluetooth communication. The host provides higher level transport layer protocols, and is the portion of the stack that is called by an application. The host includes highly standardized interfaces. Next, the host-controller-interface (HCI) is an abstraction middleware that processes these calls and sends the calls down to the lowest part of the stack which is called the controller. The HCI is often implemented through a set of queues/buffers in RAM (for a single chip BLE stack configuration) or a physical transport layer, such as UART/SPI/I2C (for a dual chip BLE stack configuration). Finally, the controller provides hardware drivers to interact with the Bluetooth modem. Link Layer protocols are implemented at the controller, and the driver framework is used to talk to the radio at this part of the stack. While in some scenarios, the HCI and the controller can run in separate chips, in many scenarios, it is expected that all three components will execute alongside the application software. Thus, in many cases, depending on the Bluetooth modem design, the HCI and Controller software may be sourced from external, third-party (untrusted) sources. Some modern RTOS implementations (such as Zephyr) execute these three components as separate threads with special buffers to pass information from the Application+Host software threads to the HCI+Controller threads. The execution as separate threads enables thread-based sandboxing and data isolation on respective threads with the following approaches.